On Mon, 8 Mar 2004, Brett Simpson wrote:
> Jesper Juhl wrote:
>
> >Nope, that won't work. Besides blocking purely based on name we also run
> >'file' on the attachments and block based on the type of file returned by
> >'file'. So, a windows executable renamed from foo.exe to foo.txt will
> >still be caught as a banned 'exe' file - blocking only based on the name
> >would be way too primitive.
> >
> >
>
> How did you implement this? I like the idea of checking the file to see
> if the extension matches what is returned by the file command.
>
I use amavisd-new to interface postfix with clam and spamassassin, but
besides that amavisd-new contains functionality to block files based on
extensions and based on the output from file. So I simply told amavisd-new
to enable the 'file' check and told it what responses from file were not
allowed. Here's a stripped down example from my amavisd.conf:
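
    $banned_filename_re = new_RE(
        # double extensions such as file.foo.exe
        qr'\.[a-zA-Z][a-zA-Z0-9]{0,3}\.(vbs|pif|scr|bat|com|exe|dll)$'i,
        # last extension only
        qr'.\.(exe|vbs|pif|scr|bat|com)$'i,
        # last extension only, longer list (the x flag lets the pattern span lines)
        qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
               ba_|class|cgi|co_|dll|ex_|ini|jar|wmp|
               jse|lnk|mde|mdb|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
               vbe|vbs|wsc|wsf|wsh)$'ix,
        # type derived from the output of file(1)
        qr'^\.(exe|lha)$'i,
        # MIME type
        qr'^application/x-msdownload$'i,
    );
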
The first "qr" block checks for double extensions like file.foo.exe and
bans such files if the last extension is one of vbs|pif|scr|bat|com|exe|dll.
The next two "qr" blocks block files purely based on the last extension.
The next "qr" block blocks based on the output from file(1), and the last
"qr" block blocks based on mime type.
--
Jesper Juhl <[EMAIL PROTECTED]>
Sysadmin, Danmarks Idræts-Forbund / Sports Confederation of Denmark
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please http://www.expita.com/nomime.html
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
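
A simplified model of the layered check described in the message above, as an added example that is not part of the original post and is not amavisd-new's code: a subset of the posted rules, translated to Python's `re`, is tried against an attachment's name, its declared MIME type, and a type derived from its content. The `short_type` helper is a hypothetical stand-in for file(1) that only recognises the MZ and LHA magic bytes, the `.dat` label and the rule labels are made up, and all sample attachments are constructed.

```python
import re

# Subset of the rules from the amavisd.conf excerpt, translated to Python's re.
BANNED = [
    ("double-extension",
     re.compile(r'\.[a-zA-Z][a-zA-Z0-9]{0,3}\.(vbs|pif|scr|bat|com|exe|dll)$', re.I)),
    ("last-extension", re.compile(r'.\.(exe|vbs|pif|scr|bat|com)$', re.I)),
    ("short-type", re.compile(r'^\.(exe|lha)$', re.I)),
    ("mime-type", re.compile(r'^application/x-msdownload$', re.I)),
]

def short_type(data: bytes) -> str:
    """Hypothetical stand-in for file(1): classify content by magic bytes."""
    if data[:2] == b"MZ":        # DOS/Windows executable header
        return ".exe"
    if data[2:5] == b"-lh":      # LHA archive method id at offset 2
        return ".lha"
    return ".dat"                # anything else; label is made up for this sketch

def banned_by(filename: str, declared_mime: str, data: bytes) -> list:
    """Return the labels of every rule that bans this attachment.

    Assumption of this sketch: each rule is tried against the file name, the
    declared MIME type and the content-derived short type.
    """
    candidates = [filename, declared_mime, short_type(data)]
    return [label for label, rx in BANNED
            if any(rx.search(c) for c in candidates)]

# Constructed sample attachments: (name, declared MIME type, leading bytes).
SAMPLES = [
    ("notes.txt", "text/plain", b"hello world\n"),
    ("foo.txt", "text/plain", b"MZ\x90\x00\x03\x00"),        # renamed executable
    ("invoice.pdf.exe", "application/octet-stream", b"MZ\x90\x00"),
    ("setup.bin", "application/x-msdownload", b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for name, mime, data in SAMPLES:
        hits = banned_by(name, mime, data)
        print(f"{name:18} {'BANNED by ' + ', '.join(hits) if hits else 'passed'}")
```

The renamed `foo.txt` passes both name rules and is caught only by the content-derived type, which is the case the name-only approach misses.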